trouble in induction paradise

Trouble in Induction Paradise

Consider the grammar rule for commands in our IMP language

C ::= skip |V := A |C ;C | if B then C else C end |while B do C end

Then the set Com contains all possible programs we can write in this language. Wecan give an inductive definition for this set,

1 skip ∈ Com

2 x := a ∈ Com if x ∈ Loc, a ∈ Aexp

3 c0 ; c1 ∈ Com if c0, c1 ∈ Com

4 if b then c0 else c1 end ∈ Com if b ∈ Bexp, c0, c1 ∈ Com

5 while b do c end ∈ Com if b ∈ Bexp, c ∈ Com

The first two rules are the least elements in Com and the remaining rules define terms

inductively. As in the case with the arithmetic expressions there is a clear ordering of

the terms.


Proposition: All programs terminate. Formally,1

∀c ∈ Com,∀σ ∈ Σ, ∃σ′ ∈ Σ. (c, σ) �→ σ′.

Proof: By induction on the structure of Com.

Case skip. Let σ ∈ Σ, then (skip, σ) �→ σ. Clearly terminates.

Case x := a. We have already established that arithmetic expressions terminate with(a, σ) �→ k where σ ∈ Σ and k ∈ I. It follows from the semantic rules for assignment,

(x := a, σ) �→ σ[k/x ].

This also terminates.

1This is of course silly, since we know that not all programs terminate, e.g., while true do skip end, but it is

interesting to see where exactly the proof fails.


Case c0 ; c1. As our induction hypothesis we assume that commands c0 and c1

terminate in all states. This means that they will also terminate for the following stateconfiguration:

(c0, σ) �→ σ′

(c1, σ′) �→ σ′′

Our inductive step then is,

(c0, σ) �→ σ′ (c1, σ′) �→ σ′′

(c0 ; c1, σ) �→ σ′′

Statement composition clearly terminates.


Case if b then c0 else c1 end. It can be shown that all boolean expressions terminate(similar proof as for the arithmetic expressions). As our induction hypothesis weassume that commands c0 and c1 terminate in all states,

(c0, σ) �→ σ′

(c1, σ) �→ σ′

Our inductive step then is, (a) for the case that the boolean evaluates to true,

(b, σ) �→ true (c0, σ) �→ σ′

(if b then c0 else c1 end, σ) �→ σ′

and (b) for the case that the boolean evaluates to false,

(b, σ) �→ false (c1, σ) �→ σ′

(if b then c0 else c1 end, σ) �→ σ′

Conditional statements terminate.


Case while b do c end. It can be shown that all boolean expressions terminate. As ourinduction hypothesis we assume that command c terminates in all states,

(c, σ) �→ σ′

Our inductive step then is, (a) for the case that the boolean evaluates to false,

(b, σ) �→ false

(while b do c end, σ) �→ σ

and (b) for the case that the boolean evaluates to true,

(b, σ) �→ true (c, σ) �→ σ′ (while b do c end, σ′) �→ σ′′

(while b do c end, σ) �→ σ′′

THE PROOF DOES NOT WORK! There are two different ways at looking at why itdoes not work:

If we were to assume that the premise given in red is true, then there is nothingto prove: the loop terminates because the loop terminates.

From a structural induction point of view this argument does not work becausethe premise given in red is not a strict subterm of the while loop.


Another way of interpreting the results from our proof; since theproof only failed for loops and was successful for the rest of thecommands we can say that the language of commands withoutloops would terminate for every state.


All this points to the observation that termination of loops cannot be determined bysimply looking at the syntax. Consider the following two loops,

while x ≥ 1 do x := x − 1 end

andwhile x ≥ 1 do x := x + 1 end

The first loop terminates for all possible states and the second loop only terminates

for states σ such that σ(x) < 1. It is clear that we can determine loop termination

only by looking at the computation/states more carefully.


The good news is that structural induction on commands only fails when we considersemantic issues, we can still use structural induction on commands when consideringsyntactic issues. Consider the following.

Proposition: All terms in Com have the same number of if/while and end keywords.

Proof: Proof by induction over the structure of Com. We let K(c) be the number ofoccurrences of keywords if and while and we let E(c) be number of occurrences of thekeyword end in c ∈ Com. We need to show that K(c) = E(c) for all c ∈ Com.

Case skip. Clearly, K(skip) = E(skip) = 0.

Case x := a. Arithmetic expressions cannot have keywords, therefore it is easy to seethat K(x := a) = E(x := a) = 0.

Case c0 ; c1. As our inductive hypothesis we assume that K(c0) = E(c0) andK(c1) = E(c1). Observe that the following identities hold,

K(c0 ; c1) = K(c0) + K(c1)

E(c0 ; c1) = E(c0) + E(c1)

We now show that K(c0 ; c1) = E(c0 ; c1) holds,

K(c0 ; c1) = K(c0) + K(c1)

= E(c0) + E(c1)

= E(c0 ; c1)


Case if b then c0 else c1 end. Boolean expressions do not containkeywords. As our inductive hypothesis we assume that K (c0) = E (c0)and K (c1) = E (c1). Observe that the following identities hold,

K (if b then c0 else c1 end) = K (c0) + K (c1) + 1

E (if b then c0 else c1 end) = E (c0) + E (c1) + 1

We now show that

K (if b then c0 else c1 end) = E (if b then c0 else c1 end)

holds,

K (if b then c0 else c1 end) = K (c0) + K (c1) + 1

= E (c0) + E (c1) + 1

= E (if b then c0 else c1 end)


Case while b do c end. Boolean expressions do not contain keywords. Asour inductive hypothesis we assume that K (c) = E (c). Observe that thefollowing identities hold,

K (while b do c end) = K (c) + 1

E (while b do c end) = E (c) + 1

We now show that

K (while b do c end) = E (while b do c end)

holds,

K (while b do c end) = K (c) + 1

= E (c) + 1

= E (while b do c end)

This concludes the proof. �

Assignment

HW#3 – see webpage.

Well-Founded Relations

The essential feature of sets that allows for induction is that the orderingrelation between elements in these sets do not give rise to infinitedescending chains – there has to be a minimal element!

Clearly, inductively defined sets satisfy this requirement.

Definition: A well-founded relation is a binary relation ≺ on a set A

such that there are no infinite descending chains · · · ≺ ai ≺ · · · a1 ≺ a0.

Here, a ≺ b means a is the predecessor of b.


We can express well-founded relations in terms of minimal elements.

Proposition: Let ≺ be a binary relation on a set A. The relation ≺ iswell-founded iff any nonempty subset Q of A has a minimal element, i.e.,an element m such that

m ∈ Q ∧ ∀b ≺ m.b �∈ Q.


Proof: “only-if” direction: Assume that ≺ is well-founded. Let Q be anonempty subset of A. We can construct a chain of elements in Q wherea0 is any element in Q and an ≺ · · · ≺ a0 is a chain where ai ∈ Q withi = 0, . . . , n. Observe that there is some b ∈ Q such that b ≺ an or thereis not. If not, then an ≺ · · · ≺ a0 is the largest chain in Q and we stopthe construction. Otherwise, take an+1 = b where an+1 ≺ an ≺ · · · ≺ a0.Since ≺ is well-founded, the chain cannot be infinite and will be of theform am ≺ · · · ≺ a0 where am is the minimal element as required.

“if” direction: By contradiction.2 Assume that every nonempty subset Q

of A has a minimal element. Now assume that ≺ is not well-founded,

that is, · · · ≺ ai ≺ · · · ≺ a1 ≺ a0 is an infinite descending chain in Q.

This implies the set Q = {ai | i ∈ N} would be nonempty without a

minimal element. A contradiction, therefore ≺ is well-founded. �

2Note: In proofs by contradiction we want to prove if A then B.In order to do so we assume A and ¬B and

show that this leads to a contradiction. Therefore, we conclude B.

Well-Founded Induction

Proposition: (Well-Founded Induction Principle) Let ≺ be awell-founded relation on a set A, let P be a predicate over theelements of A, then

∀a. P(a) iff ∀a,∀b. b ≺ a ∧ P(b) ⇒ P(a),

with a, b ∈ A.


In this formulation the condition

∀a, ∀b. b ≺ a ∧ P(b) ⇒ P(a)

is always false for minimal elements in A which makes the base caseproof vacuously true for these elements (Why?). It is therefore customaryto write the well-founded induction principle in two steps:

Proposition: Let ≺ be a well-founded relation on a set A, let P be apredicate over elements of A, then

∀e. P(e) iff ∀m. P(m) ∧ ∀a, ∀b. b ≺ a ∧ P(b) ⇒ P(a),

here e ∈ A, m ∈ A denotes the ≺-minimal elements in A, and a, b ∈ A

are non-minimal elements of A.


Proof: “only-if” direction: Assume that P(e), ∀e ∈ A, this clearly impliesthat ∀m. P(m) ∧ ∀a, ∀b. b ≺ a ∧ P(b) ⇒ P(a) holds.

“if” direction: By contradiction. Assume that∀m. P(m) ∧ ∀a, ∀b. b ≺ a ∧ P(b) ⇒ P(a) holds. Suppose P is not truefor every a ∈ A. Since ≺ is a well-founded relation, the setQ = {a ∈ A | ¬P(a)} has a ≺-minimal element n with ¬P(n). If thiselement is an ≺-minimal element of A itself, then the condition∀m ∈ A.P(m) gives rise to P(n), a contradiction. If the element n has≺-predecessors say b ≺ n and b �∈ Q, then by assumption we have P(b)for every b and by condition ∀a, ∀b. b ≺ a ∧ P(b) ⇒ P(a) we have P(n),a contradiction. Therefore, P(a) has to hold for all a ∈ A.3 �

This shows that the “domino principle” has to hold for all elements in anordered set.

3Reference: PlanetMath.org

Well-Founded Induction on States

Proposition: Prove that p ≡ while x ≥ 1 do x := x − 1 end terminates,i.e.,

∀σ ∈ Σ, ∃σ′ ∈ Σ.(p, σ) → σ′.

Proof Idea: The key to loop termination is the loop condition. The

proof approach here is to group the states into two sets: (a) The set of

states where the loop terminates trivially, that is, all states σ where

σ(x) ≤ −1. (b) The set of states where we need to explicitly show that

the loop terminates, all states σ where σ(x) ≥ 0. In the latter set we

create an ordering based on the loop index x and then perform

well-founded induction on the states using states with the loop index of 0

as the basis and any state with loop index value k for the inductive step.


Proof: It is easy to see that for all states σ ∈ Σ where σ(x) ≤ −1 wehave (p, σ) → σ. It remains to show that p terminates for states σ whereσ(x) ≥ 0. Let S = {σ ∈ Σ |σ(x) ≥ 0}. Define the predicate P over S as

P(σ) ≡ ∃σ′.(p, σ) → σ′.

Define the relation ≺ over S as σ′ ≺ σ iff σ(x) = σ′(x) + 1. Clearly, therelation ≺ is well-founded because no infinite chains · · · ≺ σn ≺ · · · ≺ σk

such that σi (x) ≥ 0 can exists. We also observe that σm ∈ S such thatσm(x) = 0 are minimal elements in S . We apply the principle ofwell-founded induction

∀σ. P(σ) if ∀σm. P(σm) ∧ ∀σ, ∀σb . σb ≺ σ ∧ P(σb) ⇒ P(σ).


Base case: For minimal elements in S we have σm(x) = 0, it follows that(p, σm) �→ σm. Clearly, P(σm) holds.

Inductive step: Assume that we have some state σ such that σ(x) = k with k ≥ 1.As the inductive hypothesis we assume that P(σ) holds. Now letσ ≺ σ++, such that σ++(x) = σ(x) + 1 and σ++(y) = σ(y) withy �= x , then we have

.

.

.

(x ≥ 1, σ++) �→ true

.

.

.

(x := x − 1, σ++) �→ σ (p, σ) �→ σ′

(p, σ++) �→ σ′

The rightmost premise holds due to our inductive hypothesis. Tocomplete the proof we need to show that the states σ++ and σ arerelated to each other via the assignment x := x − 1, specifically,

σ++[(σ++(x) − 1)/x] = σ++[(σ(x) + 1 − 1)/x] = σ++[σ(x)/x] = σ

The rightmost identity follows from the extensionality property offunctions and the identities above.

Therefore, the program p terminates for all σ ∈ Σ. �

Structural Induction

Read David Schmidt, Section 1.2

trouble in induction paradise

Documents